
Create a BOVPN between Watchguard X550e and XTM21

MECIT asked:
I am attempting to create a BOVPN between two WatchGuard devices, an X550e and an XTM21.
I have followed the instructions on the WG website. I am still having issues connecting.

I can see the gateway but no tunnel.

I currently have an existing BOVPN to a vendor network and it works.

Does it matter that I used the same external IP to create the second tunnel?
I am using the secondary IPs assigned by our ISP as the external IP on the XTM 21; would that be an issue?

Any suggestions?

Hi,

I'm not sure what you mean, but you cannot use a secondary IP for a BOVPN.
You can use one IP several times for other tunnels.
Also, you can enable logging for IPsec so you can see what's going on:
in Policy Manager, Setup --> Logging --> Diagnostic Logging --> IKE, and set it to Debug.

Then save the config. Now open System Manager --> Traffic Monitor --> choose the debug icon (the little beetle).
Then see if there are any logs.

Author

Commented:
I have the logs running, but the only thing that shows up is the working BOVPN.
There is nothing with the one I just created.
I don't even see it failing.

Do any other policies affect the BOVPN?
Is there something else I should do?
CERTIFIED EXPERT
Top Expert 2007

Commented:
Have a look at link below:
http://customers.watchguard.com/articles/Article/3002?retURL=%2Fapex%2FknowledgeHome&popup=false

Please check and update.

Thank you.
As I said, you cannot use a secondary IP; you need the primary.
Modify and test again please.

Author

Commented:
I went back and recreated the BOVPN.
I used the default settings and created a new shared key, and I noticed that I had the incorrect IP on one of the remote gateways on Site A.

Once I made these changes, the tunnel was created.

However, I cannot ping anything on either side. From Site B, I cannot access servers on Site A.
CERTIFIED EXPERT
Top Expert 2007
Commented:
Did you use the wizard, or manually create a policy to allow traffic between the remote ends? If not, then you need to add a policy to allow access.
You can use ANY or any other policy, depending on the traffic you wish to allow, and configure it as:
Enabled and Allowed;
from remote_ip_subnet
from local_ip_subnet
to remote_ip_subnet
to local_ip_subnet

You can create two different policies for incoming and outgoing, or just one as above.

Please update.

Thank you.

Author

Commented:
On both WatchGuards I have the following policies:

Site A
Name               Policy   From                To                  
BOVPN-Allow.IN     Any      Any                 Tunnel to Site B    Any
BOVPN-Allow.Out    Any      Tunnel to Site B    Any                 Any

Site B
Name               Policy   From                To
BOVPN-Allow.IN     Any      Any                 Tunnel to Site A    Any
BOVPN-Allow.Out    Any      Tunnel to Site A    Any                 Any

They were created automatically.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Policies look good.
What is the IP subnet on both sides of the VPN tunnel? Also, on the machines at either end, the WG internal IP must be the default gateway. Finally, ensure that there is no personal firewall/antivirus blocking the traffic.

Author

Commented:
Tunnel Routes

Site A  :   172.16.100.0/24 <==> 172.16.5.0/24
Site B  :    172.16.5.0/24 <==> 172.16.100.0/24

Gateways are correct on computers.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Is the tunnel really UP; can you post sanitized screenshots and/or logs.

Author

Commented:
Here is a screenshot from Site A:
(screenshot attachment: Site A)
Site B is the opposite.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Sent 0; received 0; interesting... it looks like no packet is getting routed over the tunnel.

Can you post sanitized screenshot of VPN config from both the boxes; gateway, tunnel, routing policy, firewall policy from both the boxes.

Author

Commented:
(screenshot attachments from Site A: gateway, tunnel, VPN out, VPN in)
Site B is the opposite.

Author

Commented:
Here are some logs from Site B:

2011-11-04 14:04:48 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:48 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:48 iked ike_process_pkt : ProcessData returned error (-1)         Debug
2011-11-04 14:04:51 iked IkeLifeTimeout : remove the p1sa struct 183b78 (peer 70.x.x.x) in DELETING state        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: try to delete Isakmp SA 0x183b78        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: (DELETING) Isakmp SA 183b78 peer 70.x.x.x        Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: pcyName Hondo numP1SAActive 1        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: found it, remove IkeSA 183b78 from IkePolicy        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: from pcy list, P1SANum created 11, active 1        Debug
2011-11-04 14:04:51 iked IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 115 peer1 0x0ccd18e4 peer2 0x46fcebc6        Debug
2011-11-04 14:04:51 iked (Delete P1SA) rasUserCapacity 1 count 0          Debug
2011-11-04 14:04:51 iked (Delete P1SA) maxPendingP2SARequest 128 current 0         Debug
2011-11-04 14:04:51 iked ******** RECV an IKE packet at 12.x.x.x:500(socket=11 ifIndex=2) from Peer 70.x.x.x:500 ********        Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: -->        Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [IPAD_mu] dev=anyE, pkt if[2]=eth0        Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [Hondo] dev=eth0, pkt if[2]=eth0        Debug
2011-11-04 14:04:51 iked Found IKE Policy [Hondo, dev=eth0] for peer IP=70.x.x.x, numXform=1, pkt ifIndex=2        Debug
2011-11-04 14:04:51 iked IKE Policy details: 1th xform: grp=2 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0        Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: <--        Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:51 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:51 iked ike_process_pkt : ProcessData returned error (-1)         Debug
CERTIFIED EXPERT
Top Expert 2007

Commented:
All settings look good.

It doesn't look like the VPN tunnel is UP; I see retransmits ignored and Phase 1 cookies deleted.

Can you remove all VPN settings from the box, save to flash (the box reboots), then add the VPN settings again, save to flash again, and check the results (one by one on each box)?

Thank you.

Author

Commented:
Tried it, but same issue.

Active tunnel, but no send/receive data.

Can you try running a traceroute to one of the sites and see if you get to the firewall or the remote firewall?

Also check whether there are, for some reason, any persistent routes in one of the boxes.

Author

Commented:
Site A has a persistent route to 172.16.5.0
I will test the traceroute and let you know.

Author

Commented:
We have two sets of IP blocks that were assigned to us for our Internet.
For testing I am using both sets, just in case.
Site A 70.x.x.x
Site B 12.x.x.x

Would this cause an issue?
Once in production the XTM will have a different IP.

When I did the traceroute, the 1st hop was the internal IP of the firewall and the 2nd hop was the gateway of the 70.x.x.x block, then it timed out. This was on both devices.

Author

Commented:
My mistake: Site A does not have a persistent route to that subnet.

That is a problem.
If you do a traceroute to 172.16.100.x from Site B, it should NOT pass the gateway for 70.x.x.x.
It should have:

1 firewall of Site B
2 firewall of Site A
3 destination

Can you please make sure there are no static routes at all?
Also try to ping / traceroute the other site from the WatchGuard's Traffic Monitor:

Open System Manager --> Traffic Monitor --> right-click on some traffic --> Diagnostic Task --> Ping or Traceroute --> try to ping an INTERNAL IP at the other site and see if the WatchGuard is successful; also try a traceroute that way.
Commented:
I recreated the BOVPN.

For Site A - 172.16.x.x
For Site B - 192.168.x.x

The issue was that we were using 172.16.5.0 on Site A and I was trying to use it for Site B. This caused a conflict.

I am now seeing traffic flow between the two devices.
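Added example, not part of the thread: a Python checker for the two things the last few posts turn on, the expected traceroute path (local firewall, remote firewall, destination, never the ISP gateway) and the subnet collision that was the root cause. `check_tunnel_routes` verifies that the two endpoints' tunnel routes mirror each other and that no remote selector overlaps a network a site already routes locally (a LAN or an existing tunnel route); `classify_traceroute` tells a tunnel path from a leak to the Internet. The 172.16.100.0/24 and 172.16.5.0/24 networks are the thread's; the fixed Site B network 192.168.5.0/24, the firewall internal addresses, the ISP hop 203.0.113.1 and the site names are hypothetical, and the data is constructed.

```python
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def check_tunnel_routes(site_a, site_b):
    """Validate a pair of BOVPN endpoints.

    Each site is a dict with:
      name    label used in the findings
      local   networks this site puts on its side of the tunnel route
      remote  networks this site expects to reach through the tunnel
      in_use  every network already routed locally at this site (LANs and the
              routes of any existing tunnel); a new remote selector must not
              overlap any of these
    Returns a list of findings; an empty list means mirrored, collision-free routes.
    """
    findings = []
    for near, far in ((site_a, site_b), (site_b, site_a)):
        near_remote = _nets(near["remote"])
        # 1. the tunnel routes must be mirror images of each other
        if set(near_remote) != set(_nets(far["local"])):
            findings.append("%s: remote routes %s do not mirror %s local routes %s"
                            % (near["name"], near["remote"], far["name"], far["local"]))
        # 2. a remote network that overlaps something routed locally never enters
        #    the tunnel: the firewall delivers it locally, so Sent stays at 0
        for r in near_remote:
            for used in _nets(near["in_use"]):
                if r.overlaps(used):
                    findings.append("%s: tunnel route to %s overlaps %s, which is already routed "
                                    "locally; packets for it are delivered locally and never enter "
                                    "the tunnel" % (near["name"], r, used))
    return findings


def classify_traceroute(hops, local_fw, remote_fw, remote_net):
    """Classify a traceroute from a LAN host toward the remote site.

    hops: hop addresses in order, None for a hop that timed out ('*').
    The expected tunnel path is local firewall, remote firewall, destination.
    Any other answering hop is the packet leaving toward the Internet in clear.
    """
    remote_net = ipaddress.ip_network(remote_net)
    if not hops or hops[0] != local_fw:
        return "FAIL: first hop is not the local firewall; fix the host's default gateway"
    for n, hop in enumerate(hops[1:], start=2):
        if hop is None:
            continue
        if hop == remote_fw or ipaddress.ip_address(hop) in remote_net:
            return "OK: reached the remote side at hop %d via the tunnel" % n
        return ("FAIL: hop %d (%s) is outside the tunnel path; traffic is leaving via the "
                "ISP gateway, not the tunnel" % (n, hop))
    return "FAIL: timed out after the local firewall; nothing came back from the remote side"


# Constructed data (hypothetical addresses except the two thread subnets).
SITE_A_BROKEN = {"name": "Site A", "local": ["172.16.100.0/24"], "remote": ["172.16.5.0/24"],
                 "in_use": ["172.16.100.0/24", "172.16.5.0/24"]}  # 172.16.5.0/24 already used at Site A
SITE_B_BROKEN = {"name": "Site B", "local": ["172.16.5.0/24"], "remote": ["172.16.100.0/24"],
                 "in_use": ["172.16.5.0/24"]}
SITE_A_FIXED = dict(SITE_A_BROKEN, remote=["192.168.5.0/24"])
SITE_B_FIXED = {"name": "Site B", "local": ["192.168.5.0/24"], "remote": ["172.16.100.0/24"],
                "in_use": ["192.168.5.0/24"]}
TRACE_LEAK = ["172.16.5.1", "203.0.113.1", None, None]        # firewall, then ISP gateway, then timeouts
TRACE_GOOD = ["172.16.5.1", "172.16.100.1", "172.16.100.20"]  # firewall, remote firewall, destination

if __name__ == "__main__":
    for f in check_tunnel_routes(SITE_A_BROKEN, SITE_B_BROKEN):
        print(f)
    print("fixed config findings:", check_tunnel_routes(SITE_A_FIXED, SITE_B_FIXED))
    for trace in (TRACE_LEAK, TRACE_GOOD):
        print(classify_traceroute(trace, "172.16.5.1", "172.16.100.1", "172.16.100.0/24"))
```

The `in_use` list is the part people forget: it has to include the routes of every other tunnel the box already terminates (the working vendor BOVPN here), not just the LAN interfaces, because those routes compete for the same destination prefix in exactly the same way.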
lol :)
Glad you solved it :)

Author

Commented:
Thanks everyone for trying to help me resolve this.
